<%#
kind: provision
name: Kickstart default
model: ProvisioningTemplate
oses:
- AlmaLinux
- CentOS
- CentOS_Stream
- Fedora
- RedHat
- Rocky
test_on:
- host4dhcp
- host6dhcp
- host4and6dhcp
- host4static
- host6static
- rhel9_dhcp
- rocky8_dhcp
- rocky9_dhcp
description: |
  The provisioning template for kickstart based distributions. The output is fetched by Anaconda installer during
  the network based installation. To customize the installation, modify the host parameters.

  This template accepts the following parameters:
  - lang: string (default="en_US.UTF-8")
  - selinux-mode: string (default="enforcing")
  - keyboard: string (default="us")
  - time-zone: string (default="UTC")
  - http-proxy: string (default="")
  - http-proxy-port: string (default="")
  - force-puppet: boolean (default=false)
  - enable-epel: boolean (default=false)
  - enable-puppetlabs-repo: boolean (default=false)
  - enable-puppetlabs-puppet5-repo: boolean (default=false)
  - enable-puppetlabs-puppet6-repo: boolean (default=false)
  - enable-official-puppet7-repo: boolean (default=false)
  - enable-official-puppet8-repo: boolean (default=false)
  - skip-puppet-setup: boolean (default=false)
  - salt_master: string (default=undef)
  - ntp-pools: array (default=undef)
  - ntp-server: string (default=undef)
  - bootloader-append: string (default="nofb quiet splash=quiet")
  - disable-firewall: boolean (default=false)
  - kdump-options: string (default=undef)
  - package_upgrade: boolean (default=true)
  - disable-uek: boolean (default=false)
  - use-ntp: boolean (default depends on OS release)
  - fips_enabled: boolean (default=false)
  - encrypt_grub: boolean (default=false)
  - use_graphical_installer: boolean (default=false)
  - enable-remote-execution-pull: boolean (default=false)
  - additional-packages: string (default=undef)

  Reference links:
  - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/installation_guide/s1-kickstart2-options
  - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax
  - https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/automatically_installing_rhel/kickstart-commands-and-options-reference_rhel-installer
  - https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/automatically_installing_rhel/kickstart-commands-and-options-reference_rhel-installer
-%>
<%
  rhel_compatible = @host.operatingsystem.family == 'Redhat' && @host.operatingsystem.name != 'Fedora'
  is_fedora = @host.operatingsystem.name == 'Fedora'
  os_major = @host.operatingsystem.major.to_i
  os_minor = @host.operatingsystem.minor.to_i
  # safemode renderer does not support unary negation
  proxy_uri = host_param('http-proxy') ? "http://#{host_param('http-proxy')}:#{host_param('http-proxy-port')}" : nil
  proxy_string = proxy_uri ? " --proxy=#{proxy_uri}" : ''
  puppet_enabled = !host_param_true?('skip-puppet-setup') && (host_puppet_server.present? || host_param_true?('force-puppet'))
  salt_enabled = host_param('salt_master') ? true : false
  chef_enabled = @host.respond_to?(:chef_proxy) && @host.chef_proxy
  use_ntp = host_param_true?('use-ntp')
  iface = @host.provision_interface
  appstream_present = false
  use_rhsm = (@host.operatingsystem.name == 'RedHat' || @host.operatingsystem.name == 'RHEL') && os_major >= 9
-%>
# This kickstart file was rendered from the Foreman provisioning template "<%= @template_name %>".
# for <%= @host %> running <%= @host.operatingsystem.name %> <%= os_major %> <%= @arch %>
# Organization: <%= @host.organization %>
# Location: <%= @host.location %>
<%
if plugin_present?('katello')
-%>
# Lifecycle environment: <%= @host.single_lifecycle_environment %>
# Content View: <%= @host.single_content_view %>
# Content Source: <%= @host.content_source %>
<% end -%>

<% if rhel_compatible && os_major <= 7 -%>
install
<% end -%>
<%
if host_param('kickstart_liveimg')
  img_name = host_param('kickstart_liveimg')
  liveimg_url = if host_param('kt_activation_keys')
    repository_url(img_name, 'isos')
  else
    if img_name.match(%r|^([\w\-\+]+)://|)
      img_name
    else
      "#{medium_uri}/#{img_name}"
    end
  end
%>
liveimg --url=<%= liveimg_url %> <%= proxy_string %>
<% else %>
<%= @mediapath %><%= proxy_string %>
<% @additional_media.each do |medium| -%>
repo --name <%= medium[:name] %> --baseurl <%= medium[:url] %> <%= medium[:install] ? ' --install' : '' %><%= proxy_string %>
<% end -%>
<%= snippet_if_exists(template_name + " custom repositories") %>
<% end %>
lang <%= host_param('lang') || 'en_US.UTF-8' %>
selinux --<%= host_param('selinux-mode') || host_param('selinux') || 'enforcing' %>
keyboard <%= host_param('keyboard') || 'us' %>

<%
# start with provisioning interface, then other non-bond non-bridge interfaces and the bonds + bridges at the end
@host.interfaces.reject{ |iface| iface.bmc? }.sort_by { |iface| (iface.bond? || iface.bridge?) ? 0 : iface.provision? ? 20 : 10 }.each do |iface|
-%>
<%= snippet(
      'kickstart_network_interface',
      variables: {
        iface: iface,
        host: @host,
        static: @static,
        static6: @static6
      }
    ) -%>
<%
end
-%>

rootpw --iscrypted <%= root_pass %>
<%# Firewall -%>
<% if host_param_true?('disable-firewall') -%>
firewall --disable
<% else -%>
firewall --service=ssh
<% end -%>
<%# Kdump -%>
<% if host_param('kdump-options').present? -%>
%addon com_redhat_kdump <%= host_param('kdump-options') %>
%end
<% end -%>
<%# Authentication options -%>
<% if (is_fedora && os_major >= 28) || (rhel_compatible && os_major > 7) -%>
authselect --useshadow --passalgo=<%= @host.operatingsystem.password_hash.downcase || 'sha256' %> --kickstart
<% else -%>
authconfig --useshadow --passalgo=<%= @host.operatingsystem.password_hash.downcase || 'sha256' %> --kickstart
<% end -%>
<%# Timezone + NTP -%>
<% if rhel_compatible && os_major < 9 -%>
timezone --utc <%= host_param('time-zone') || 'UTC' %> <%= host_param('ntp-server') ? "--ntpservers #{host_param('ntp-server')}" : '' %>
<% else -%>
timezone --utc <%= host_param('time-zone') || 'UTC' %>
<% if host_param('ntp-pools') -%>
<% host_param('ntp-pools').each do |ntppool| -%>
timesource --ntp-pool <%= ntppool %>
<% end -%>
<% elsif host_param('ntp-server') -%>
timesource --ntp-server <%= host_param('ntp-server') %>
<% end -%>
<% end -%>

<% if rhel_compatible -%>
services --disabled gpm,sendmail,cups,pcmcia,isdn,rawdevices,hpoj,bluetooth,openibd,avahi-daemon,avahi-dnsconfd,hidd,hplip,pcscd
<% end -%>

<% if host_enc['parameters']['realm'] && @host.realm && @host.realm.realm_type == 'Active Directory' -%>
# One-time password will be requested at install time. Otherwise, $HOST[OTP] is used as a placeholder value.
realm join --one-time-password='<%= @host.otp || "$HOST[OTP]" %>' <%= @host.realm %>
<% end -%>

<% if @host.operatingsystem.name == 'OracleLinux' && os_major == 7 && os_minor < 5 -%>
repo --name="Server-Mysql"
<% end -%>

bootloader --location=mbr --append="<%= host_param('bootloader-append') || 'nofb quiet splash=quiet' %>" <%= grub_pass %>

<% if @dynamic -%>
%include /tmp/diskpart.cfg
<% else -%>
<%= @host.diskLayout %>
<% end -%>
<%= snippet('kickstart_rhsm') if use_rhsm -%>

<% if host_param_true?('use_graphical_installer') -%>
graphical
<% else -%>
skipx
text
<% end -%>
reboot<% if host_param_true?('install_reboot_kexec') %> --kexec<% end %>

%packages
<%= snippet_if_exists(template_name + " custom packages") %>
yum
<% if os_major < 8 -%>
dhclient
<% end -%>
<% if use_ntp -%>
ntp
-chrony
<% else -%>
chrony
-ntp
<% end -%>
<% if rhel_compatible && os_major < 9 -%>
wget
<% end -%>
<% if host_param_true?('fips_enabled') -%>
<%=   snippet 'fips_packages' %>
<% end -%>
<% if host_param('additional-packages').present? -%>
<%= host_param('additional-packages').split(" ").join("\n") %>
<% end -%>
%end

<% if @dynamic -%>
%pre --log=/tmp/install.pre.dynamic.log
<%= snippet_if_exists(template_name + " custom pre") %>
<%= @host.diskLayout %>
%end
<% end -%>

%post --nochroot
exec < /dev/tty3 > /dev/tty3
chvt 3
(

<% if host_param_false?('no-resolv-override') -%>
cp -va /etc/resolv.conf /mnt/sysimage/etc/resolv.conf
<% end -%>

<%= snippet_if_exists(template_name + " custom postnochroot") -%>

chvt 1
) 2>&1 | tee /mnt/sysimage/root/install.postnochroot.log
%end

<%#
Main post script, if it fails the last post is still executed.
%>
%post
exec < /dev/tty3 > /dev/tty3
chvt 3
(
logger "Starting anaconda <%= @host %> postinstall"
<%= snippet 'ntp' %>

<%= snippet 'yum_proxy' %>

<% if rhel_compatible && host_param_true?('enable-epel') -%>
<%= snippet 'epel' -%>
<% end -%>

<%= snippet 'redhat_register' if rhel_compatible && !use_rhsm -%>

<% if @host.realm && (@host.realm.realm_type == 'FreeIPA' || @host.realm.realm_type == 'Red Hat Identity Management') -%>
<%= snippet 'freeipa_register' %>
<% end -%>

<% unless host_param_false?('package_upgrade') -%>
# update all the base packages from the updates repository
if [ -f /usr/bin/dnf ]; then
  dnf -y update
else
  yum -t -y update
fi
<% end -%>

<%= snippet('remote_execution_ssh_keys') %>

<% if plugin_present?('katello') && host_param_true?('enable-remote-execution-pull') -%>
<%= save_to_file('/root/remote_execution_pull_setup.sh', snippet('remote_execution_pull_setup'), verbatim: true) %>
chmod +x /root/remote_execution_pull_setup.sh
/root/remote_execution_pull_setup.sh
<% end -%>

<%= snippet "blacklist_kernel_modules" %>

<% if chef_enabled %>
<%= snippet 'chef_client' %>
<% end -%>

<% if puppet_enabled %>
<% if host_param_true?('enable-puppetlabs-repo') || host_param_true?('enable-official-puppet8-repo') || host_param_true?('enable-official-puppet7-repo') || host_param_true?('enable-puppetlabs-puppet6-repo')|| host_param_true?('enable-puppetlabs-puppet5-repo') -%>
<%= snippet 'puppetlabs_repo' %>
<% end -%>
<%= snippet 'puppet_setup' %>
<% end -%>

<% if salt_enabled %>
<%= snippet 'saltstack_setup' %>
<% end -%>

<% if @host.operatingsystem.name == 'OracleLinux' && host_param_true?('disable-uek') -%>
# Uninstall the Oracle Unbreakable Kernel packages
yum -t -y remove kernel-uek*
sed -e 's/DEFAULTKERNEL=kernel-uek/DEFAULTKERNEL=kernel/g' -i /etc/sysconfig/kernel
<% end -%>

<%= snippet('ansible_provisioning_callback') %>

<%= snippet 'efibootmgr_netboot' %>

<%= snippet_if_exists(template_name + " custom post") %>

<%= snippet 'insights' if host_param_true?('host_registration_insights') && os_major < 9 -%>
<%= snippet 'disk_enc_clevis_tang' if host_param('disk_enc_tang_servers') -%>

touch /tmp/foreman_built

<% if host_param_true?('use_graphical_installer') -%>
chvt 6
<% else -%>
chvt 1
<% end -%>
) 2>&1 | tee /root/install.post.log
%end

# copy %pre log files into chroot
%post --nochroot
cp -vf /tmp/*.pre.*.log /mnt/sysimage/root/
%end

<%#
The last post section halts Anaconda to prevent endless loop in case HTTP request fails
%>
%post --erroronfail --log=/root/install-callhome.post.log

<%= snippet 'eject_cdrom' -%>

if test -f /tmp/foreman_built; then
  echo "calling home: build is done!"
  <%= indent(2, skip1: true, skip_content: 'EOF') { snippet('built', :variables => { :endpoint => 'built', :method => 'POST', :body_file => '/root/install.post.log' }) } -%>
else
  echo "calling home: build failed!"
  <%= indent(2, skip1: true, skip_content: 'EOF') { snippet('built', :variables => { :endpoint => 'failed', :method => 'POST', :body_file => '/root/install.post.log' }) } -%>
fi

sync
%end
